According to the announcement, there are several vulnerabilities in Rails parameter parsing. Parameter parsing lets you pass XML data to Rails and have it parsed automatically into various Ruby types. This is a convenience feature: the client gives you XML and you magically get Ruby objects without having to parse them manually. However, several bugs in this code allow an attacker to do all kinds of nasty things, including arbitrary code execution and SQL injection.
This is big; you should be patching your servers or disabling this feature ASAP. There are detailed instructions in the vulnerability announcement on the mailing list.
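For servers that cannot be patched immediately, one stopgap in the spirit of "disabling this feature" is to refuse XML request bodies before they reach the parameter parser. The Rack middleware below is an added example, not code from the announcement or from Rails. The class name, the 415 response and the log format are assumptions, and it assumes the middleware is mounted ahead of Rails' parameter parsing and that the application has no legitimate XML clients.

```ruby
# Added example: Rack middleware that refuses XML request bodies.
# Class name, status code and log format are assumptions, not Rails code.
class RejectXmlBodies
  # Media types that Rails registers for XML and hands to its XML parameter parser.
  XML_TYPES = %w[application/xml text/xml application/x-xml].freeze

  def initialize(app, logger: nil)
    @app = app
    @logger = logger
  end

  # True when the Content-Type header names an XML media type.
  # Parameters such as "; charset=utf-8" and letter case are ignored.
  def self.xml?(content_type)
    media_type = content_type.to_s.split(";", 2).first.to_s.strip.downcase
    XML_TYPES.include?(media_type)
  end

  def call(env)
    if self.class.xml?(env["CONTENT_TYPE"])
      # inspect escapes control characters so the path cannot forge log lines.
      @logger&.call("blocked XML body: #{env['REQUEST_METHOD']} #{env['PATH_INFO'].inspect}")
      body = "XML request bodies are not accepted\n"
      headers = { "Content-Type" => "text/plain", "Content-Length" => body.bytesize.to_s }
      return [415, headers, [body]]
    end
    @app.call(env)
  end
end

# Constructed demo: a stand-in app and two hand-built Rack env hashes.
def demo_statuses
  log = []
  app = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] }
  guard = RejectXmlBodies.new(app, logger: ->(line) { log << line })
  envs = [
    { "REQUEST_METHOD" => "POST", "PATH_INFO" => "/users",
      "CONTENT_TYPE" => "Text/XML; charset=utf-8" },
    { "REQUEST_METHOD" => "POST", "PATH_INFO" => "/users",
      "CONTENT_TYPE" => "application/x-www-form-urlencoded" }
  ]
  [envs.map { |env| guard.call(env).first }, log]
end
```

The log lines double as a quick inventory of which clients still send XML, which helps decide whether the feature can stay disabled after patching.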